U.S. patent application number 11/535110, filed on September 26, 2006 and published on 2008-03-27 as application publication 20080077986, is for a method and apparatus for providing a secure single sign-on to a computer system.
Invention is credited to David C. Challener, William F. Keown, Joseph M. Pennisi, David Rivera, Randall S. Springfield.
Application Number: 20080077986 (11/535110)
Family ID: 39226539
Publication Date: 2008-03-27
United States Patent Application 20080077986, Kind Code A1
Rivera; David; et al.
March 27, 2008
Method and Apparatus for Providing a Secure Single Sign-On to a Computer System
Abstract
A method for providing a secure single sign-on to a computer
system is disclosed. Pre-boot passwords are initially stored in a
secure storage area of a smart card. The operating system password,
which has been encrypted to a blob, is stored in a non-secure area
of the smart card. After the smart card has been inserted in a
computer system, a user is prompted for a Personal Identification
Number (PIN) of the smart card. In response to a correct smart card
PIN entry, the blob stored in the non-secure storage area of the
smart card is decrypted to provide the operating system password,
and the operating system password along with the pre-boot passwords
stored in the secure storage area of the smart card are then
utilized to log on to the computer system.
Inventors: Rivera; David (Durham, NC); Challener; David C. (Raleigh, NC); Keown; William F. (Raleigh, NC); Pennisi; Joseph M. (Apex, NC); Springfield; Randall S. (Chapel Hill, NC)
Correspondence Address: DILLION & YUDELL LLP, 8911 N. CAPITAL OF TEXAS HWY, SUITE 2110, AUSTIN, TX 78759, US
Family ID: 39226539
Appl. No.: 11/535110
Filed: September 26, 2006
Current U.S. Class: 726/20
Current CPC Class: G06F 21/34 20130101
Class at Publication: 726/20
International Class: H04L 9/32 20060101
Claims
1. A method for providing a secure single sign-on to a computer
system, said method comprising: storing pre-boot passwords in a
secure storage area of a smart card; encrypting an operating system
password to generate a blob, and storing said blob in a non-secure
area of said smart card; prompting for a smart card personal
identification number (PIN) of said smart card after said smart
card has been inserted in said computer system; in response to a
correct smart card PIN entry, utilizing said pre-boot passwords
stored in said secure storage area and said operating system
password encrypted within said blob to log on to said computer
system.
2. The method of claim 1, wherein said encrypting further includes
encrypting said operating system password using a trusted platform
module (TPM) Seal command to a platform configuration register
(PCR).
3. The method of claim 2, wherein said utilizing further includes
decrypting said blob to yield said operating system password.
4. The method of claim 2, wherein said method further includes
hashing said smart card PIN using a TPM Extend command to a second
PCR.
5. A computer usable medium having a computer program product for
providing a secure single sign-on to a computer system, said
computer usable medium comprising: program code means for storing
pre-boot passwords in a secure storage area of a smart card;
program code means for encrypting an operating system password to
generate a blob, and for storing said blob in a non-secure area of
said smart card; program code means for prompting for a smart card
personal identification number (PIN) of said smart card after said
smart card has been inserted in said computer system; program code
means for, in response to a correct smart card PIN entry, utilizing
said pre-boot passwords stored in said secure storage area and said
operating system password encrypted within said blob to log on to
said computer system.
6. The computer usable medium of claim 5, wherein said program code
means for encrypting further includes program code means for
encrypting said operating system password using a trusted platform
module (TPM) Seal command to a platform configuration register
(PCR).
7. The computer usable medium of claim 6, wherein said program code
means for utilizing further includes program code means for
decrypting said blob to yield said operating system password.
8. The computer usable medium of claim 6, wherein said computer
usable medium further includes program code means for hashing said
smart card PIN using a TPM Extend command to a second PCR.
9. A computer capable of allowing a secure single sign-on, said
computer comprising: a secure storage area of a smart card for
storing pre-boot passwords; a trusted platform module (TPM) for
encrypting an operating system password to generate a blob; a
non-secure storage area of said smart card for storing said blob; a
smart card reader for prompting for a smart card personal
identification number (PIN) of said smart card after said smart
card has been inserted in said computer system; means for, in
response to a correct smart card PIN entry, utilizing said pre-boot
passwords stored in said secure storage area and said operating
system password encrypted within said blob to log on to said
computer system.
10. The computer of claim 9, wherein said TPM encrypts said
operating system password using a TPM Seal command to a platform
configuration register (PCR).
11. The computer of claim 10, wherein said means for utilizing
further includes means for decrypting said blob to yield said
operating system password.
12. The computer of claim 10, wherein said computer further
includes means for hashing said smart card PIN using a TPM Extend
command to a second PCR.
Description
BACKGROUND OF THE INVENTION
[0001] 1. Technical Field
[0002] The present invention relates to computer security in
general, and, in particular, to a method and apparatus for
providing security management in computer systems. Still more
particularly, the present invention relates to a method and
apparatus for providing a secure single sign-on to a computer
system.
[0003] 2. Description of Related Art
[0004] Today, in order to log on to a secured personal computer
system, a computer user is required to enter a power-on password
(POP) before computer boot, a hard-drive password (HDP) to allow
the basic input/output system (BIOS) to boot the operating system,
and an operating system password to log onto the operating system.
Additionally, if the computer user uses a smart card, the computer
user is also required to enter a smart card personal identification
number to allow access to the protected information on the smart
card after the computer user has logged on to the personal computer
system. Thus, there are potentially four different passwords a
computer user has to remember, which most computer users would find
annoying. Besides, the likelihood of misplacing passwords is higher
with more passwords.
[0005] Most computer users would prefer that the number of passwords
they must enter to log on to a secured personal computer system be
reduced. Almost all computer users prefer the time from a computer
system being turned on to the time the computer system is ready to
use to be as short as possible.
[0006] Consequently, it would be desirable to provide an improved
method and apparatus for providing a secure single sign-on to a
computer system.
SUMMARY OF THE INVENTION
[0007] In accordance with a preferred embodiment of the present
invention, pre-boot passwords are initially stored in a secure
storage area of a smart card. The operating system password, which
has been encrypted to a blob, is stored in a non-secure area of the
smart card. After the smart card has been inserted in a computer
system, a user is prompted for a Personal Identification Number
(PIN) of the smart card. In response to a correct smart card PIN
entry, the blob stored in the non-secure storage area of the smart
card is decrypted to provide the operating system password, and the
operating system password along with the pre-boot passwords stored
in the secure storage area of the smart card are then utilized to
log on to the computer system.
[0008] All features and advantages of the present invention will
become apparent in the following detailed written description.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] The invention itself, as well as a preferred mode of use,
further objects, and advantages thereof, will best be understood by
reference to the following detailed description of an illustrative
embodiment when read in conjunction with the accompanying drawings,
wherein:
[0010] FIG. 1 is a block diagram of a computer system in which a
preferred embodiment of the present invention is incorporated;
and
[0011] FIG. 2 is a high-level logic flow diagram of a method for
setting up a secure single sign-on to a computer system, in
accordance with a preferred embodiment of the present invention;
and
[0012] FIG. 3 is a high-level logic flow diagram of a method for
using a secure single sign-on to a computer system, in accordance
with a preferred embodiment of the present invention.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
[0013] Referring now to the drawings and in particular to FIG. 1,
there is depicted a block diagram of a computer system in which a
preferred embodiment of the present invention is incorporated. As
shown, a computer system 100 includes a processing unit 102 and a
memory 104. Memory 104 includes a volatile memory 105 (such as a
random access memory) and a non-volatile memory 106 (such as a
read-only memory). Computer system 100 also contains removable
storage media devices 108, such as compact discs, optical disks,
magnetic tapes, etc., and non-removable storage devices 110, such
as hard drives. In addition, computer system 100 may contain
communication channels 112 for providing communications with other
computer systems on a network 120. Computer system 100 may also
have input components 114 such as a keyboard, mouse, etc., and
output components 116 such as displays, speakers, printers,
etc.
[0014] A Trusted Platform Module (TPM) 117 is included within
computer system 100 to provide secure generation of cryptographic
keys, and to limit the use of those keys to either
signing/verification or encryption/decryption, as is known to
those skilled in the art. TPM 117 can be utilized to ensure that
data being used to grant access to the operating system of computer
system 100 is maintained securely.
[0015] When a computer user wants to access a computer, such as
computer system 100, the system BIOS prompts the computer user for a
smart card personal identification number (PIN) entry. Upon
successful verification of the provided PIN by the smart card, the
pre-boot password(s) of the computer user can be retrieved from a
secure storage area of the smart card. The pre-boot password(s) can
then be used to allow the computer system to boot. Once the
verification has been completed, the operating system should be
able to trust that the computer user has been authenticated and be
able to safely retrieve the operating system logon credentials.
Platform Configuration Registers (PCRs) of a TPM provide a mechanism
for such trust to be established. The logon credentials for an
operating system can be sealed to a PCR such that the sealed blob
can only be unsealed after a valid smart card PIN has been
provided by the computer user and extended into that PCR.
[0016] Two phases are preferably required to maintain a secure
single sign-on: initial setup and normal usage. During the initial
setup, the pre-boot password is recorded into a protected area of a
pre-initialized smart card, and the operating system password is
converted into a TPM-encrypted binary large object (blob) to be
stored on the smart card. During normal usage, the pre-boot
password is retrieved from the smart card to allow the computer to
boot, and the encrypted operating system password is used for
logging on to the operating system.
[0017] The following description is based on a personal computer
system having the Windows® operating system manufactured by the
Microsoft® corporation; however, it is understood by those
skilled in the art that the present invention is applicable to a
personal computer using any operating system. For the
Microsoft® Windows® operating system, the operating system logon
process is defined by the Graphical Identification and
Authentication (GINA) interface.
Setup Process
[0018] With reference now to FIG. 2, there is depicted a high-level
logic flow diagram of a method for setting up a secure single
sign-on to a computer system, in accordance with a preferred
embodiment of the present invention. Starting at 200, a computer
user logs on to a computer system using an operating system
password as usual, and the secure single sign-on configuration
software is then launched, as depicted in block 210. After a smart
card has been inserted by the computer user to a smart card reader
associated with the computer system, the computer user is prompted
by the configuration software for a smart card PIN, as shown in
block 220. A successful smart card PIN entry by the computer user
unlocks the secure storage area within the smart card. Then, the
computer user is prompted by the configuration software for various
passwords that are required to log on to the computer system, as
depicted in block 230. The various passwords may include pre-boot
passwords and operating system password. The pre-boot passwords,
such as power-on password (POP) and hard-drive password (HDP), are
written to the secure storage area of the smart card, as shown in
block 240. The secure storage area of the smart card can be locked
after all the pre-boot passwords have been entered by the computer
user.
[0019] The smart card PIN is hashed using the TPM Extend command to
a PCR, as shown in block 250. The operating system password is
encrypted using the TPM Seal command to the PCR to generate an
encrypted blob, as depicted in block 260. The encrypted blob is
then stored in the non-secured area of the smart card, as shown in
block 270.
Usage Process
[0020] Referring now to FIG. 3, there is illustrated a high-level
logic flow diagram of a method for using a secure single sign-on,
in accordance with a preferred embodiment of the present invention.
Initially, a computer user is prompted for a smart card and its PIN
after the computer system has been turned on, as shown in block
310. The smart card PIN is then verified with the smart card, as
depicted in block 320, and a successful smart card PIN entry
unlocks the secure storage area of the smart card.
[0021] Pre-boot passwords are then read from the secure storage
area of the smart card, as shown in block 330, and the secure
storage area of the smart card can then be locked again. The BIOS
validates the pre-boot passwords using well-known methods, as
depicted in block 340, and continues with the boot up process.
[0022] The operating system logon process then reads the encrypted
blob from the non-secure area of the smart card, and decrypts the
blob to yield the operating system password, as depicted in block
350. Only a valid smart card PIN entry allows this data to be
unsealed, and the operating system measurements assure that only
the expected operating system configuration allows such data to be
decrypted; thus, unauthorized usage of this data by some other boot
source can be prevented. The operating system password can then be
used for normal operating system logon.
[0023] The single sign-on process will be affected by a change in
the smart card PIN, the pre-boot password(s), or the operating
system logon password. In the event that the PIN changes, the
unsealing of the blob against the PCR by the operating system logon
process will fail. When this occurs, the logon process can assume
that a change in the smart card PIN has occurred, and the software
code used in the above-described setup process can be executed
again automatically, forcing an update to the encrypted blob as
described in the setup process. After completion of the
re-execution, the operating system password can be successfully
decrypted in subsequent boot-ups, as described in the
above-described usage process.
[0024] In the event the pre-boot password(s) are changed, the BIOS
will not be able to successfully authenticate the pre-boot
password(s) on the smart card. The computer system should then
prompt for entry of the current pre-boot password(s), validate, and
update the pre-boot password(s) that are stored in the secure area
of the smart card.
[0025] If the operating system logon password has changed, the
operating system logon code that decrypts the encrypted blob will
get a failure from the operating system, which indicates that an
invalid operating system password was provided. When this occurs,
the logon process can allow the setup process to be executed again,
forcing the computer user to re-enter the smart card PIN and the
operating system password. This will update the encrypted blob, and
on subsequent boots, the correct operating system password can be
retrieved using the usage process.
[0026] As has been described, the present invention provides a
method and apparatus for providing a secure single sign-on to a
computer system. The present invention provides a secure and
trusted path for the BIOS to retrieve pre-boot authentication data
from a smart card, and allows the operating system to retrieve the
logon credentials from the smart card using an embedded security
chip to provide the foundation of trust and security in the
transaction.
[0027] The usage of a smart card also allows a computer user to use
a single sign-on capability on multiple computer systems. Any
computer system configured with the same pre-boot passwords can be
accessed by the computer user having the same smart card, which
would be beneficial in a domain roaming environment. A computer
user can use his/her smart card to gain access to all the computer
systems by entering a smart card PIN once.
[0028] It is also important to note that although the present
invention has been described in the context of a fully functional
computer system, those skilled in the art will appreciate that the
mechanisms of the present invention are capable of being
distributed as a program product in a variety of forms, and that
the present invention applies equally regardless of the particular
type of signal bearing media utilized to actually carry out the
distribution. Examples of signal bearing media include, without
limitation, recordable type media such as floppy disks or compact
discs and transmission type media such as analog or digital
communications links.
[0029] While the invention has been particularly shown and
described with reference to a preferred embodiment, it will be
understood by those skilled in the art that various changes in form
and detail may be made therein without departing from the spirit
and scope of the invention.
* * * * *